Comments for Security Seals on Voting Machines
A blog covering security and security technology.

Comment from OldFish on 2011-10-10
Didn't some machines include WiFi and USB ports? The seals stop those interfaces, right?

Comment from paul on 2011-10-10 (http://alltoosimple.wordpress.com)
Appel has reported previously on the physical security for the voting machines in question. Not terribly good unless you consider a hallway in a building that is mostly unoccupied at night and on weekends to be "good".

Comment from Danny Moules on 2011-10-10 (http://www.rushyo.com)
"What happens if you do it three times?"

Security seals become considered an invalid form of protection and therefore, by political logic, the vote must continue without them.

We must do something. This is something, therefore we must do it...

Comment from Earl Mardle on 2011-10-09 (http://www.keynet.co.nz)
Then there's the meta attack.

Get amongst the machines and damage the seals of enough of them and you invalidate the election.

Do it once and you create a nuisance, do it twice and you create a serious problem.

What happens if you do it three times?

Comment from Tony H. on 2011-10-09
Andrew Appel is a computer scientist, and he did some amateur seal-defeating demonstrations in court to show that any basement handyman type could break a lot of the voting machine security. But he references the reports produced for the court by Roger Johnston, who is a professional seals (and other neat stuff) guy at Argonne National Laboratory, and whose redacted report is available at http://www.cs.princeton.edu/~appel/voting/Johnston-AnalysisOfNJSeals.pdf . In many ways the Johnston report makes for more interesting reading, though they each reference the other, and are complementary (and complimentary).

Comment from Dirk Praet on 2011-10-09
@ Mostly Harmless

"What an excellent opportunity for a Denial-Of-Service attack, especially when only machines in political districts heavily favored by your opponent are targeted."

Not really. Tampering will only be successful when it goes undetected. In any other case - and in a normal democracy - it will lead to invalidation of the result in that district and a repetition of the process.

Comment from Peter Maxwell on 2011-10-08
The seals aren't particularly critical on the grand scheme of election security, if they are then the whole election setup is seriously flawed to begin with.

I think the UK and Scotland operate different safeguards to the US. For example, here each ballot paper is numbered and can theoretically be linked back to the voter, although this is highly unlikely and there are strict regulations surrounding this.

In any instance, the ballots are numbered so if there is a dispute it is possible to tell whether there are duplicates or ballots that shouldn't be there. So "stuffing" wouldn't work, you'd have to *replace* ballots.

It also is not the parties but the state (electoral commission?) that runs the elections and to the best of my knowledge, party representatives aren't allowed to canvass in the voting stations either. So there really isn't any window for party employees to do any tampering. Then there is the consideration that there are always a fair number of staff at voting stations, so the opportunity is further diminished.

Anyway, to put tamper proof seals into perspective, just look at the 2007 Scottish elections: a mere "redesign" of the ballot papers managed to confuse matters so much that the margin in many constituencies was dwarfed by the number of spoilt ballots. Now *that* was a seriously dodgy election, but no physical tampering involved - it was all agreed in Parliament well before the election.

Comment from Bad Admin on 2011-10-08 (http://badadm.com)
Andrew Appel is now officially my big hero.

Comment from jammit on 2011-10-08 (http://jammitweb.blogspot.com/)
Silly me. Whenever I've come across a tamper evident seal, I just remove the seal and carefully clean off the "void" residue that's left behind. This leaves a clean surface that upon inspection seems to have had no seal at any time.

Comment from Henning Makholm on 2011-10-07 (http://blog.henning.makholm.net/)
Andrew Appel is now officially my hero.

Comment from Seiran on 2011-10-07
Even a perfect voting machine seal won't protect from the worst and most likely kind of insider attack: from precinct workers, county officials, state employees, even the vendors. The very people who are charged with counting the ballots and securing the election could be - and arguably have already been - the ones who subvert it.

Now, let us imagine that the vendor has placed a perfectly tamperproof seal over the critical components of the machine, and all end-user maintenance is performed under two-person control. How do we know that the developers haven't inserted their own prank features?

What an excellent opportunity for a Denial-Of-Service attack, especially when only machines in political districts heavily favored by your opponent are targeted.

Comment from LinkTheValiant on 2011-10-07
The main problem in creating modern seals is that they must fulfill two diametrically opposed criteria:
1. They must be robust enough to be understood and applied by untrained amateurs under suboptimal (for the election officials) conditions.
2. They must be fragile enough to break or otherwise provide evidence of failure under attack by professionals in ideal (for the attackers) conditions.

Not ONE of the seals described in the paper fulfilled these two conditions. Given the availability of attack tools today, it is unlikely that any seals can be created that fulfill these two conditions.

And that in turn means that any sealing that must be done will need to be done by the manufacturer (or a suitably trained election seal applicator) under controlled conditions. Which then leads to the manufacturer or applicator controlling the election process by default.

Comment from karrde on 2011-10-07 (http://wildekarrde.mee.nu)
I am assuming that, given enough resources, tamper-evident seals can be pierced in a non-evident manner.

Is it usually a social-engineering task, or a mechanical-task, or a combination of the two?

The election systems I took part in usually required some form of documentation, and two individuals from distinct political parties, in both breaking and putting seals in place. The number of the seal in question is recorded for both the breaking and the settings.

However, one of the types of seals we saw was a zip-tie-style mechanism. I assume that mechanical adeptness and proper tools could defeat that. Another was a metal-band-mechanism that is functionally similar to a zip-tie. Again, proper tooling may allow the seal to be removed.

Most of the security actually came from controlling access to the sealed object. The City Clerk in question set up a 2-person-rule. The machines that handled the counting, the voted ballots, etc., were always handled by pairs of people. Usually pairs of people who had declared themselves as members of distinct political parties.

While this doesn't make things perfect, it does make it much harder for a solo operator to tamper with any single piece of election-data. Also, any solo operator would typically only be able to affect one precinct's returns.

Again, not perfect, but the seals, the procedures, and the two-person rule act as a sort of defense in depth. Not just a defense against malice, but also a defense against some varieties of innocent mistakes...

Comment from Freiheit on 2011-10-07
Security seal iz watchin u steel votes

Comment from Petréa Mitchell on 2011-10-07
Excellent paper! I don't think I've seen so many seal types examined all at once before.

New Jersey appears to be working with laws specifying procedures that assume mechanical voting machines (not that this is unusual in the US). E.g. here: "Such representatives shall certify ... that all of the counters are set at zero (000) ... Every voting machine shall be furnished with a lantern, or an electric light fixture, which shall give sufficient light to enable voters while voting to read the ballots and be suitable for use by the district board in examining the counters."